mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
180 lines
10 KiB
Plaintext
Executable File
180 lines
10 KiB
Plaintext
Executable File
|
|
#!/bin/bash
|
|
|
|
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
|
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
|
|
# this file except in compliance with the Elastic License 2.0.
|
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
|
|
|
INTCA=/etc/pki/tls/certs/intca.crt
|
|
|
|
. /usr/sbin/so-common
|
|
. /usr/sbin/so-elastic-fleet-common
|
|
|
|
# Deleting Elastic Fleet data...
|
|
|
|
# Check to make sure that Elasticsearch is up & ready
|
|
RETURN_CODE=0
|
|
wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
|
|
RETURN_CODE=$?
|
|
|
|
if [[ "$RETURN_CODE" != "0" ]]; then
|
|
status "Elasticsearch not accessible, exiting Elastic Fleet setup..."
|
|
exit 1
|
|
fi
|
|
|
|
ALIASES=".fleet-servers .fleet-policies-leader .fleet-policies .fleet-agents .fleet-artifacts .fleet-enrollment-api-keys .kibana_ingest"
|
|
for ALIAS in ${ALIASES}
|
|
do
|
|
# Get all concrete indices from alias
|
|
INDXS=$(curl -K /opt/so/conf/kibana/curl.config -s -k -L -H "Content-Type: application/json" "https://localhost:9200/_resolve/index/${ALIAS}" | jq -r '.aliases[].indices[]')
|
|
|
|
# Delete all resolved indices
|
|
for INDX in ${INDXS}
|
|
do
|
|
status "Deleting $INDX"
|
|
curl -K /opt/so/conf/kibana/curl.config -s -k -L -H "Content-Type: application/json" "https://localhost:9200/${INDX}" -XDELETE
|
|
done
|
|
done
|
|
|
|
# Restarting Kibana...
|
|
so-kibana-restart
|
|
|
|
# Check to make sure that Kibana API is up & ready
|
|
RETURN_CODE=0
|
|
wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
|
|
RETURN_CODE=$?
|
|
|
|
if [[ "$RETURN_CODE" != "0" ]]; then
|
|
printf "Kibana API not accessible, exiting Elastic Fleet setup..."
|
|
exit 1
|
|
fi
|
|
|
|
printf "\n### Create ES Token ###\n"
|
|
ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value)
|
|
|
|
### Create Outputs & Fleet URLs ###
|
|
printf "\nAdd Manager Elasticsearch Output...\n"
|
|
ESCACRT=$(openssl x509 -in $INTCA)
|
|
JSON_STRING=$( jq -n \
|
|
--arg ESCACRT "$ESCACRT" \
|
|
'{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' )
|
|
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
|
|
printf "\n\n"
|
|
|
|
printf "\nCreate Logstash Output Config if node is not an Import or Eval install\n"
|
|
{% if grains.role not in ['so-import', 'so-eval'] %}
|
|
LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt)
|
|
LOGSTASHKEY=$(openssl rsa -in /etc/pki/elasticfleet-logstash.key)
|
|
LOGSTASHCA=$(openssl x509 -in $INTCA)
|
|
JSON_STRING=$( jq -n \
|
|
--arg LOGSTASHCRT "$LOGSTASHCRT" \
|
|
--arg LOGSTASHKEY "$LOGSTASHKEY" \
|
|
--arg LOGSTASHCA "$LOGSTASHCA" \
|
|
'{"name":"grid-logstash","is_default":true,"is_default_monitoring":true,"id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055", "{{ GLOBALS.manager }}:5055"],"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]},"proxy_id":null}'
|
|
)
|
|
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
|
|
printf "\n\n"
|
|
{%- endif %}
|
|
|
|
printf "\nCreate Kafka Output Config if node is not an Import or Eval install\n"
|
|
{% if grains.role not in ['so-import', 'so-eval'] %}
|
|
KAFKACRT=$(openssl x509 -in /etc/pki/elasticfleet-kafka.crt)
|
|
KAFKAKEY=$(openssl rsa -in /etc/pki/elasticfleet-kafka.key)
|
|
{# KAFKACA=$(openssl x509 -in $INTCA) #}
|
|
KAFKACA=$(openssl x509 -in /etc/pki/tls/certs/intca.crt)
|
|
KAFKA_OUTPUT_VERSION="2.6.0"
|
|
JSON_STRING=$( jq -n \
|
|
--arg KAFKACRT "$KAFKACRT" \
|
|
--arg KAFKAKEY "$KAFKAKEY" \
|
|
--arg KAFKACA "$KAFKACA" \
|
|
--arg KAFKA_OUTPUT_VERSION "$KAFKA_OUTPUT_VERSION" \
|
|
'{ "name": "grid-kafka", "id": "so-manager_kafka", "type": "kafka", "hosts": [ "{{ GLOBALS.manager }}:9092", "{{ GLOBALS.manager_ip }}:9092" ], "is_default": false, "is_default_monitoring": false, "config_yaml": "", "ssl": { "certificate_authorities": [ $KAFKACA ], "certificate": $KAFKACRT, "key": $KAFKAKEY, "verification_mode": "full" }, "proxy_id": null, "client_id": "Elastic", "version": $KAFKA_OUTPUT_VERSION, "compression": "none", "auth_type": "ssl", "partition": "round_robin", "round_robin": { "group_events": 1 }, "topics": [ { "topic": "zeek-logs", "when": { "type": "equals", "condition": "event.module:zeek" } }, { "topic": "suricata-logs", "when": { "type": "equals", "condition": "event.module:suricata" } }, { "topic": "strelka-logs", "when": { "type": "equals", "condition": "event.module:strelka" } }, { "topic": "opencanary-logs", "when": { "type": "equals", "condition": "event.module:opencanary" } }, { "topic": "system-logs", "when": { "type": "equals", "condition": "event.module:system" } }, { "topic": "kratos-logs", "when": { "type": "equals", "condition": "event.module:kratos" } }, { "topic": "soc-logs", "when": { "type": "equals", "condition": "event.module:soc" } }, { "topic": "rita-logs", "when": { "type": "equals", "condition": "event.module:rita" } }, { "topic": "default-logs" } ], "headers": [ { "key": "", "value": "" } ], "timeout": 30, "broker_timeout": 30, "required_acks": 1 }'
|
|
)
|
|
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
|
|
{% endif %}
|
|
|
|
# Add Manager Hostname & URL Base to Fleet Host URLs
|
|
printf "\nAdd SO-Manager Fleet URL\n"
|
|
if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
|
|
JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220"]}')
|
|
else
|
|
JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.hostname }}:8220"]}')
|
|
fi
|
|
|
|
## This array replaces whatever URLs are currently configured
|
|
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/fleet_server_hosts" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
|
|
printf "\n\n"
|
|
|
|
### Create Policies & Associated Integration Configuration ###
|
|
# Load packages
|
|
/usr/sbin/so-elastic-fleet-package-load
|
|
|
|
# Load Elasticsearch templates
|
|
/usr/sbin/so-elasticsearch-templates-load
|
|
|
|
# Manager Fleet Server Host
|
|
elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" "120"
|
|
|
|
#Temp Fixup for ES Output bug
|
|
JSON_STRING=$( jq -n \
|
|
--arg NAME "FleetServer_{{ GLOBALS.hostname }}" \
|
|
'{"name": $NAME,"description": $NAME,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":120,"data_output_id":"so-manager_elasticsearch"}'
|
|
)
|
|
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_{{ GLOBALS.hostname }}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
|
|
|
|
# Initial Endpoints Policy
|
|
elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false" "1209600"
|
|
|
|
# Grid Nodes - General Policy
|
|
elastic_fleet_policy_create "so-grid-nodes_general" "SO Grid Nodes - General Purpose" "false" "1209600"
|
|
|
|
# Grid Nodes - Heavy Node Policy
|
|
elastic_fleet_policy_create "so-grid-nodes_heavy" "SO Grid Nodes - Heavy Node" "false" "1209600"
|
|
|
|
# Load Integrations for default policies
|
|
so-elastic-fleet-integration-policy-load
|
|
|
|
# Set Elastic Agent Artifact Registry URL
|
|
JSON_STRING=$( jq -n \
|
|
--arg NAME "FleetServer_{{ GLOBALS.hostname }}" \
|
|
--arg URL "http://{{ GLOBALS.url_base }}:8443/artifacts/" \
|
|
'{"name":$NAME,"host":$URL,"is_default":true}'
|
|
)
|
|
|
|
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_download_sources" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
|
|
|
|
### Finalization ###
|
|
|
|
# Query for Enrollment Tokens for default policies
|
|
ENDPOINTSENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
|
|
GRIDNODESENROLLMENTOKENGENERAL=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-nodes_general")) | .api_key')
|
|
GRIDNODESENROLLMENTOKENHEAVY=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-nodes_heavy")) | .api_key')
|
|
|
|
# Store needed data in minion pillar
|
|
pillar_file=/opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls
|
|
printf '%s\n'\
|
|
"elasticfleet:"\
|
|
" enabled: True"\
|
|
" config:"\
|
|
" server:"\
|
|
" es_token: '$ESTOKEN'"\
|
|
" endpoints_enrollment: '$ENDPOINTSENROLLMENTOKEN'"\
|
|
" grid_enrollment_general: '$GRIDNODESENROLLMENTOKENGENERAL'"\
|
|
" grid_enrollment_heavy: '$GRIDNODESENROLLMENTOKENHEAVY'"\
|
|
"" >> "$pillar_file"
|
|
|
|
#Store Grid Nodes Enrollment token in Global pillar
|
|
global_pillar_file=/opt/so/saltstack/local/pillar/global/soc_global.sls
|
|
printf '%s\n'\
|
|
" fleet_grid_enrollment_token_general: '$GRIDNODESENROLLMENTOKENGENERAL'"\
|
|
" fleet_grid_enrollment_token_heavy: '$GRIDNODESENROLLMENTOKENHEAVY'"\
|
|
"" >> "$global_pillar_file"
|
|
|
|
# Call Elastic-Fleet Salt State
|
|
salt-call state.apply elasticfleet queue=True
|
|
|
|
# Generate installers & install Elastic Agent on the node
|
|
so-elastic-agent-gen-installers
|
|
salt-call state.apply elasticfleet.install_agent_grid queue=True
|
|
exit 0 |